Unlocking a Mac with an Apple Watch requires two-factor, not two-step, iCloud protection—what?

What’s the difference between two-step verification and two-factor authentication? A lot of frustration for people who were using the former and updated to macOS Sierra, only to see a perplexing error message when they tried to set up the watchOS 3 option that lets you unlock a Mac.

Apple treats these as two distinct systems that include an extra code to protect your account. But even people who have enabled either two-step or two-factor are hard pressed to understand which is which and what’s going on.

(This gets even more complicated if you were using two-step verification and had macOS set up to let you log in using your iCloud ID, because switching makes you give up iCloud-based Mac logins. We’ll have a separate Mac 911 column to help deal with that fallout.)

Step out and factor in

Apple introduced what it labelled two-step verification as a bandage after embarrassing break-ins to celebrity iCloud accounts in 2014. It appears that social engineering (talking someone out of credentials), password guessing and non-iCloud hacking were at work.

This ‘two-step’ method is more commonly called two-factor authentication (2FA). Factors are credentials that prove you should have access to a resource, like logging into a website or retrieving data. With two-step verification, when you log in to some (but not all) iCloud-related resources, like iCloud.com, you need two factors: your password and a code sent to an iOS device logged into the same iCloud account.

Without that second factor, the code, possessing the password does no good. That’s a way to minimise the risk of both ‘wholesale’ attacks, where crackers get huge numbers of passwords, and ‘retail’ attacks, where they figure out or obtain targeted accounts’ passwords. Without also being connected to an iOS device or obtaining someone’s mobile phone or hijacking their SMS, the password is useless.
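To make that two-step flow concrete, here is an added Python model of a login that needs both a password and a one-time code pushed to a trusted device. It is constructed for this column and is not Apple's code, nor a description of how iCloud actually implements the check; the five-minute code lifetime, the six-digit code length and the class names are all assumptions. What it shows is the property the paragraph above describes: a correct password alone opens nothing, a wrong password never even triggers a code, and each code works once and then expires.

```python
"""Toy model of a two-step login: password plus a one-time code sent to a
trusted device. Constructed example; it does not reproduce Apple's
implementation, only the general shape of a second-factor check."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is good for five minutes


class TrustedDevice:
    """Stand-in for an iOS device logged into the same account; it simply
    records the codes 'pushed' to it."""

    def __init__(self):
        self.inbox = []

    def receive(self, code):
        self.inbox.append(code)


class Account:
    def __init__(self, password, device):
        # Store a salted, slow hash of the password, never the password itself.
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.device = device
        self.pending = {}  # session id -> (code, expiry timestamp)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def start_login(self, password, now=None):
        """Step one: check the password. On success, issue a six-digit code,
        push it to the trusted device and return a session id. Returns None
        for a wrong password, so a bad guess never causes a code to be sent."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return None
        now = time.time() if now is None else now
        session = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = (code, now + CODE_TTL_SECONDS)
        self.device.receive(code)
        return session

    def finish_login(self, session, code, now=None):
        """Step two: the code must match and be unexpired. The pending entry is
        consumed on any attempt, so a code cannot be replayed or brute-forced."""
        now = time.time() if now is None else now
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(expected, code)


def demo():
    """Walk through the cases the column describes and report each outcome."""
    device = TrustedDevice()
    pw = "correct horse battery staple"  # constructed sample password
    acct = Account(pw, device)
    results = {}

    # Password guessing: a wrong password issues no session and pushes no code.
    results["wrong_password_rejected"] = acct.start_login("password123", now=1000) is None
    results["codes_sent_after_bad_guess"] = len(device.inbox)

    # Stolen password but no device: step one passes, step two fails.
    session = acct.start_login(pw, now=1000)
    real = device.inbox[-1]
    wrong = f"{(int(real) + 1) % 10**6:06d}"  # constructed to be certainly wrong
    results["password_only"] = acct.finish_login(session, wrong, now=1001)

    # Legitimate user reads the code off the trusted device.
    session = acct.start_login(pw, now=2000)
    code = device.inbox[-1]
    results["with_device"] = acct.finish_login(session, code, now=2001)
    # The same code cannot be used a second time.
    results["replay"] = acct.finish_login(session, code, now=2002)

    # A code entered after its lifetime is rejected.
    session = acct.start_login(pw, now=3000)
    results["expired"] = acct.finish_login(
        session, device.inbox[-1], now=3000 + CODE_TTL_SECONDS + 1
    )
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note what the model does and does not prove: the server only ever checks that the right string came back in time, so the code is a bearer secret. Whoever reads it off the device, or intercepts it in transit, can finish the login; the model says nothing about how safely the code travels, which is exactly the weakness of SMS and voice delivery the column returns to below.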

Because two-step was hastily stapled on top of the existing iCloud, iOS and OS X ecosystem, it had a number of limits. It used the same conduit as Find My iPhone, popping up a code message in the same way as messages sent by Apple through that system. It didn’t work with all of Apple’s sites and services. It didn’t tell you about where the request originated. It didn’t work with Mac OS X. And you had to set it up via the Apple ID website, not through your own devices.

It was always a stopgap, and in June 2015, Apple previewed a much better implementation that it built for iOS 9 and OS X El Capitan, and which it rolled out slowly to users starting that September. The new system was deeply integrated into both OSes, and is set up via a Mac or iOS device. It shows you an approximate location for a login attempt. And it’s required by almost every bit of Apple’s Apple ID and iCloud-based ecosystem. It also added automated voice calls on top of SMS as a backup method to send a code.

Despite it starting to be available for some users as early as October 2015, it took five or six months before my account showed it as ready to use.

(In truth, neither system is really 2FA, because the rubric of factors is ‘something you know, something you have, and something you are’. A two-factor system picks two: you know a password, and you have a device that receives a code. A code sent to a phone via SMS or voice is more like a second password, because it doesn’t precisely prove you ‘have’ something.)

But here’s the thing: it sounds from the way Apple has discussed two-step and two-factor that most users didn’t take advantage of two-step due to confusion and inconvenience in setting up; the 2FA replacement is much better, easier to configure, and shows up as an option when you’re configuring security.

Because 2FA only works starting with iOS 9, watchOS 2, and El Capitan, Apple hasn’t pulled the plug on two-step. That means two-step still shows up as available whenever you log into the Apple ID site, which leads to some of the present confusion.

Turn off, then turn on

With all of that explained, here’s what you need to do to switch from two-step to two-factor logins and activate the unlock-by-Watch feature.

Before starting: Ensure that you really do have only qualifying devices connected to your iCloud account. Log in to appleid.apple.com and look at the Devices section. If any device is running an OS older than the 2015 releases (iOS 9, watchOS 2, and El Capitan), you won’t be able to use 2FA.

1. Log in to appleid.apple.com. (You have to use a two-step code to confirm this, if two-step is truly enabled.)

2. In the Security section, a label should appear with Two-Step Verification and the word On underneath it. If it doesn’t, skip to step 6. (If you have no two-anything enabled, a link to enable two-step verification appears – don’t click it! It’s not what you want.)

3. Click Edit to the right of the Security section.

4. Click Turn Off Two-Step Verification, and then click again at the confirmation pop-up.

5. Apple will prompt you for security questions to protect your account. You need to create these, because you’re protected for the moment only by your password. Fill those out and proceed.

6. Go to any device associated with the account, Mac or iOS, and follow the appropriate steps below.

On a Mac:

1. Open the iCloud system preference pane.

2. Click Account Details.

3. Enter a password when prompted.

4. Click the Security tab.

5. Click Turn on Two-Factor Authentication and follow the prompts.

In iOS:

1. Tap Settings > iCloud.

2. Tap your Apple ID and enter the password if prompted.

3. Tap Password & Security.

4. Tap Turn on Two-Factor Authentication and follow the prompts.

I’d recommend having more than one backup phone number. If you have a partner, family member or close friend you can trust, add their number as well. This will help if all your hardware is lost or stolen in a fire, accident, break-in or robbery, and you want to gain access to your account quickly and lock things down or recover data.

Now, finally (finally!), you can let your Watch unlock your Mac. Check that Bluetooth and Wi-Fi are both enabled on your Mac, and you’re using the same iCloud account with the Watch and with the Mac. Your Watch also has to have a passcode set, which is a really good idea regardless.

On your Mac:

1. Open the Security & Privacy system preference pane.

2. Click the General pane if it’s not the one displayed.

3. Click the lock icon at the bottom to make changes, and enter your password.

4. Check the box labeled Allow Your Apple Watch to Unlock Your Mac.

If Step 4 doesn’t show that checkbox, something isn’t set up correctly with 2FA or devices using the same iCloud account.

Now sleep your Mac, wake it and unlock it!

Coda

My friend John managed to make his way through all this with a little help from me, but then was stymied: his Watch still wasn’t letting him unlock his Mac. By trial and error, he figured it out. He sent me some profane tweets with the details that I’ve, ahem, cleaned up into the following two steps:

1. Tap Settings > Messages > Send & Receive.

2. Tap Use My Apple ID.

This pushed his iCloud information to his Watch and finished the setup.